Method for processing encoded data for first domain received in a network pertaining to a second domian

ABSTRACT

The invention relates to a method of processing data, encrypted according to an encryption method specific to a first domain such that they cannot be decrypted without the aid of a first secret specific to the first domain, these data being received in a presentation device connected to a network belonging to a second domain. The method comprises the steps consisting, for the presentation device, in: (a) transmitting to a processing device connected to the network at least a portion of said encrypted data; (b) receiving from said processing device at least one element being used to decrypt said received data with the aid of a second secret specific to the second domain, the second secret being contained in the presentation device.

SCOPE OF THE INVENTION

The present invention relates to the field of protection against copyingdigital data and against illegal access to such data, in particular whenthe data is circulating in local digital networks such as digitaldomestic networks.

STATE OF THE ART

It is known practice in the context of protection against illicitcopying of digital data from systems in which a digital content may becopied for use in a determined domain. Domain is intended to mean a setof installations belonging for example to one and the same domesticnetwork, these installations sharing a secret specific to the domain,for example a cryptographic encryption key. An installation belonging toa domain may be a portable installation. Its membership of a particulardomain will be determined by its knowledge of the secret specific tothat particular domain.

The digital content of such a domain may be of three sorts:

-   -   “free copy”: this type of content may be recorded and played        back in any domain, so it is not necessary to know a secret        specific to a domain to read this type of content;    -   “private copy”: this type of content can be copied only for a        particular domain in which it can be played back; the content is        recorded in a form that requires the knowledge of the secret of        the particular domain to be able to be played back. This type of        content cannot be read on a device that does not belong to the        particular domain;    -   “read only”: this type of content may only be read in a        particular domain but it cannot be copied; or, if copies of the        content are made, they cannot be played back thereafter.

A digital content usually enters a domain through an access device or asource device. This type of device retrieves digital data through achannel external to the domain and broadcasts them to the other devicesof the domain, for example by using a digital bus connecting thedifferent installations of the domain. A source device may in particularbe a digital decoder intended to receive video programs from outside adigital domestic network via a satellite antenna or a cable connection,in order to broadcast them in the network. It may also be an opticaldisk drive broadcasting in a domestic network (audio and/or video) dataread on an optical disk (the disk in this case contains data originatingfrom outside the network).

Inside the domain, the digital content may be recorded by digitalrecording devices such as a DVD (“Digital Versatile Disc”) recorder or ahard disk.

Finally, the content is presented to the users of the domain bypresentation devices. These devices are suitable for receiving thecontent of the domain (particularly the digital data circulating in adigital domestic network) in order to process it (particularly in orderto decrypt it if necessary) and present it to the end user. Thisparticularly involves television receivers used to view video data orhi-fi installations to listen to audio data.

A source device usually contains a module known as a “conditionalaccess” module or a digital rights management module (“DRM”) dependingon whether the content is respectively a “broadcast content” or a“broadband content”. These modules manage the protection of the contentput in place by the content provider.

For example, considering pay television programs, the content provider,that is to say the program broadcaster, usually provides the digitalprograms in scrambled form (that is to say encrypted) using keys calledcontrol words, the control words themselves being transmitted with thedata in encrypted form in messages called “ECM” (“Entitlement ControlMessage”). The content provider also provides the subscribers who havepaid to receive the programs with the key by which to decrypt thecontrol words and with a conditional access module containing, amongstother things, the algorithm for decrypting the control words (the keyand the conditional access module are preferably included in a smartcard). It is also the content provider who defines the rules of use ofthe content provided, that is to say who defines whether the content isof the “free copy”, “private copy” or “read only” type.

In the system of protection against copying known by the name ofSmartRight™ (SmartRight is a registered trademark of THOMSONmultimedia), the source devices convert the received contents accordingto the rules of use of those contents.

When a content received by a source device of a given domain is of the“private copy” type, the content is converted in such a way that it canbe decrypted only by presentation devices belonging to that particulardomain (and therefore all sharing one and the same secret). The Frenchpatent application No. 01 05568, filed on Apr. 25, 2001 in the name ofthe applicant THOMSON Licensing S.A., concerning a symmetric keymanagement method in a communication network, describes in particularhow this conversion is carried out so that only the presentation devicesknowing a secret key of the communication network are capable ofdecrypting the content to read it.

It will be noted that, in the rest of the description, the terms “secretkey” or “symmetric key” will be used to designate a cryptographic keyused in a symmetric encryption or decryption algorithm, such as thealgorithm known by the name of AES (acronym for “Advanced EncryptionStandard”) or by the name of “Rijndael” and described in particular inthe document entitled “Proceedings from the first Advanced EncryptionStandard Candidate Conference, National Institute of Standards andTechnology (NIST), August 1998, J. Daemen and V. Rijmen”.

When a content received by a source device is of the “read only” type,the content is also converted by this source device by using the methoddescribed in the abovementioned patent application such that it can beread only by the presentation devices of the network which know thenetwork secret key. In addition, a method described in French patentapplication No. 00 15894, filed on Dec. 7, 2000 in the name of THOMSONmultimedia, is implemented so that the content cannot be copied in thedomain or, if copied, it cannot be played back by the presentationdevices of the domain.

When a content received in a domain is of the “free copy” type, it isusually in clear and is left in that form by the source device which hasreceived the content to broadcast it in the domain.

Thanks to this system, it is possible for a user, who receives a contentafter having paid the provider of that content the relevant fees, tokeep a private copy of that content for his later personal use. Thiscopy may be read only by the presentation devices of his domain, that isto say of the domain in which the content was initially received.

Nevertheless, there are situations in which it is desirable to be ableto play back a private copy made in a first domain on a presentationdevice of a second domain. In particular, if a user wants to view on thedomain of a friend the copy of a film made on his own domain, naturallywithout a copy being able to be made for the domain of the friend.

This may also be necessary in the event of union or of separation ofusers. In the case of union, if each user previously had his own domain,the two domains cannot be linked together because the installations ofthe two domains do not share the same secret. In this case, if the twousers do not wish to manage two different domains, the content recordedpreviously on a first domain will have to be able to be played back onthe second domain. Likewise, when there is a need to separate one domaininto two different domains (because spouses are separating or a childleaves the home of its parents), the contents previously recorded on thecommon domain need to be able to be read on the two new domains.

The present invention aims to resolve the abovementioned problems.

DESCRIPTION OF THE INVENTION

Accordingly, the invention relates to a method of processing data,encrypted according to an encryption method specific to a first domainsuch that they cannot be decrypted without the aid of a first secretspecific to said first domain, said data being received in apresentation device connected to a network belonging to a second domain.According to the invention, the method comprises the steps consisting,for the presentation device, in:

-   -   (a) transmitting to a processing device connected to the network        at least a portion of said encrypted data;    -   (b) receiving from said processing device at least one element        being used to decrypt said received data with the aid of a        second secret specific to said second domain, said second secret        being contained in the presentation device.

Thus the decryption of the data is delegated to a processing devicewhich knows the first secret specific to the first domain and whichperforms a process on the portion of the data that it receives such thatthe presentation device of the second domain can decrypt the receiveddata simply by knowing the second secret specific to the second domain.

In addition, since the secret of the first domain is not transmitted tothe presentation device of the second domain, it can decrypt thereceived data only when the processing device is connected to thenetwork of the second domain.

According to a particular embodiment of the invention, the data receivedin the presentation device are encrypted with the aid of a firstsymmetric key, said first symmetric key being received with said data ina form encrypted with the aid of the first secret. In this embodiment,step (a) consists in transmitting to the processing device the firstsymmetric key encrypted with the aid of the first secret; and step (b)consists in receiving from the processing device: the first symmetrickey encrypted with the aid of a second symmetric key; and the secondsymmetric key encrypted with the aid of the second secret specific tothe second domain.

According to a particular feature of the invention, the method alsocomprises the steps consisting, for the presentation device, in:

-   -   (c) decrypting, with the aid of the second secret, the second        encrypted symmetric key;    -   (d) decrypting, with the aid of the second symmetric key, the        first encrypted symmetric key; and    -   (e) decrypting the data received by said presentation device        with the aid of the first symmetric key.

According to a particular embodiment of the invention, the method alsocomprises, before step (a), a step consisting, for the presentationdevice, in generating a random number, the random number beingtransmitted to the processing device, in step (a), with the encryptionof the first symmetric key. In this embodiment, the data received instep (b) contain a random number and the first symmetric key encryptedwith the aid of the second symmetric key; step (d) also comprises thedecryption, with the aid of the second symmetric, of the encryptedrandom number received in step (b); and the method also comprises,before step (e), a verification step to verify that the random numberdecrypted in step (d) is identical to the random number generated beforestep (a); step (e) being performed only in the event of positiveverification.

According to another feature of the invention, a domain identifier iscontained in the data received by the presentation device; the domainidentifier is transmitted to the processing device during step (a); andstep (b) is performed only if the processing device contains the samedomain identifier.

BRIEF DESCRIPTION OF THE DRAWINGS

Other features and advantages of the invention will appear through thedescription of particular nonlimiting embodiments explained with the aidof the attached figures, in which:

FIG. 1 is a block diagram of a digital domestic network interconnectingdevices belonging to a first domain;

FIG. 2 is a block diagram of a domestic network comprising devicesbelonging to a second domain illustrating one embodiment of theinvention;

FIG. 3 is a timing diagram illustrating exchanges of keys between twodevices in the domestic network in FIG. 2;

FIG. 4 is a timing diagram illustrating the exchanges of data betweendevices on the domestic network in FIG. 2 that can be used to read(without copying) in the second domain a content recorded in the firstdomain.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Initially, in relation to FIG. 1, an example of domestic network will bedescribed in which a system of protection against copying is implementedso that private copies of the digital content can be made for future useonly in the domestic network in which it has been copied.

The network comprises a source device 1, a presentation device 2 and arecording device 3 connected together by a digital bus 4, which is forexample a bus according to standard IEEE 1394.

The source device 1 comprises a digital decoder 10 furnished with asmart card reader fitted with a smart card 11. This decoder receives thedigital data, particularly the audio/video programs distributed by aservice provider.

The presentation device 2 comprises a digital television receiver (DTV)20 furnished with a smart card reader fitted with a smart card 21 andthe recording device 3 is in particular a digital video cassetterecorder (DVCR).

The digital data that enters the network via the source device 1 areusually data scrambled by a content provider, for example according tothe pay television principle. In this case, the data are scrambled withthe aid of control words (CW) which are themselves transmitted in thedata stream in a form encrypted with the aid of an encryption key K_(F)while being contained in entitlement control messages (ECM). Theencryption key K_(F) is provided to users who have paid to receive thedata, in particular being stored in a smart card. In the example in FIG.1, the smart card 11 contains such a key K_(F) and a conditional accessCA module 14 capable of decrypting the control words CW.

The source device 1 which receives these scrambled digital data formatsthem so that they are broadcast over the digital network in a protectionformat specific to the domestic network. The decoder 10 comprises an“ECM unit” module 13 which extracts from the received data stream theECM messages containing the control words encrypted with the aid of thekey K_(F) in order to transmit them to the CA module 14. The latterdecrypts the control words CW and transmits them to a converter module12 also contained in the smart card 11.

The role of the converter module 12 is to convert the informationcontained in the ECM messages into LECM (“Local Entitlement ControlMessage”) messages protected with the aid of a secret key specific tothe local domestic network, which will be called the key K_(N1).

It is assumed that the converter module has previously randomlygenerated a symmetric key K_(C) and has requested the encryption of thatkey K_(C) with the aid of the network secret key K_(N1). The convertermodule therefore has in memory the key K_(C) and the key K_(C) encryptedby the network secret key K_(N1): E{K_(N1)}(K_(C)).

In the rest of the description, the notation E{K}(M) will always be usedto signify encryption with a key K of the data M.

The abovementioned French patent application No. 01 05568 describes indetail the method which allows the converter module to obtain theencryption of the key K_(C) with the aid of the network secret keyK_(N1), this encryption being carried out in a presentation device.Specifically, the presentation devices of the network, such as thedevice 2 in FIG. 1, are the only ones to have the network secret keyK_(N1). The latter is contained in the smart card 21 with a terminalmodule 22 responsible, amongst other things, for the operations ofencryption and decryption with the network key K_(N1).

The system operates as follows. When the digital data are received inthe decoder 10, the “ECM unit” module 13 extracts the ECM messagescontaining the control words CW encrypted with the aid of the key K_(F)specific to the content provider and provides them to the CA module 14.The latter decrypts the control words CW and transmits them to theconverter module 12. In addition, the ECM message may also containinformation concerning control of the copying of the transmitted contentindicating whether or not the content may be freely copied in thenetwork or whether the content may only be viewed (or listened to, etc.)in the network. This information is also transmitted to the convertermodule.

The converter module then constructs an LECM message based on thesedata. This message preferentially comprises;

-   -   a portion A in clear containing in particular the information        concerning control of the copying of the content, that is to say        indicating whether the content is of the “free copy”, “private        copy” or “read only” type; this information is often denoted VCI        (“Viewing Control Information”). The portion in clear also        contains the key K_(C) encrypted with the network key:        E{K_(N1)}(K_(C)).    -   a portion B, encrypted with the key K_(C), and containing        essentially the decrypted control word CW; this portion can be        summarized as: E{K_(C)}(CW).    -   an integrity field formed by the result of a hash function        applied to all the portions A and B before encryption of the        portion B. This integrity field is advantageously used to verify        the validity of the LECM messages and to ensure that they are        not illicitly modified.

The LECM message is then transmitted to the ECM unit which inserts itinto the data stream in the place of the ECM messages. It should benoted that, when the received content is not already in scrambled formas described above and does not contain any ECM message, the convertermodule 12 is responsible in this case for putting the data in this formso that the data stream broadcast over the network 4 is always in datapacket form like the packet 40 represented in FIG. 1 containing an LECMmessage and scrambled data.

The content of this packet can be summarized as follows:

-   -   LECM|E{CW}(<data>); or:    -   E{K_(N1)}(K_(C))|VC|E{K_(C)}(CW)|Integrity field|E{CW}(<data>);    -   where “|” represents the concatenation operator.

When these data packets are received by the digital television receiver20, they are transmitted to the “LECM unit” module 23 which extractsfrom them the LECM messages in order to transmit them to the terminalmodule 22. The latter first decrypts E{K_(N1)}(K_(C)) with the aid ofthe key K_(N1) to obtain the key K_(C). Then, with the aid of the keyK_(C), it decrypts E{K_(C)}(CW) to obtain the control word CW which ittransmits to the “LECM unit” module 23. The latter is then able todescramble the data E{CW}(<data>) with the aid of the control word. Theunscrambled data are then presented to the user. In the case of videodata, the data may be viewed on the television receiver 20.

If the data stream containing the packets 40 is recorded by the digitalvideo cassette recorder 3 to be played back later, it is noted that thisis not possible unless the presentation device on which the data are tobe presented contains the secret key K_(N1) of the domain in which thedata were recorded. In what follows, this domain will be called N1.

Remember that, in the example in FIG. 1, the domain is the digitaldomestic network and all the installations connected to it and alsoportable presentation installations (not shown) which are likely to beconnected to the domestic network and which belong to the members of thefamily owning the domestic network. The portable presentationinstallations (for example compressed music file readers) are consideredto form part of the domain N1 when they contain the secret key K_(N1).Refer to the abovementioned French patent application No. 01 05568 for adescription of how the secret key of the domain N1 is transmitted to thenew presentation devices which “enter” the domain (for example when amember of the family buys a new installation).

Now suppose that a user, having recorded a content (for example a film)of the “private copy” type on his domain N1, wants to be able to view iton a television receiver belonging to another domain which will becalled N2.

In this case, the user inserts for example a cassette containing thefilm into a digital video cassette recorder of the domain N2. This videocassette recorder will broadcast the film over the domestic network ofthe domain N2 so that it is viewed on a television receiver of thedomain N2. But since the latter does not know the secret key of thedomain N1, K_(N1), it will not be able to decrypt the content of theLECM messages and therefore will not be able to descramble the data topresent the film to the user.

There follows a description of how, thanks to the invention, it will bepossible to view in the domain N2 the content recorded as “private copy”in the domain N1 without, however, it being possible to make a copy ofthat content for the domain N2, or at least such that, if a copy is madein the domain N2, this copy cannot be played back in the domain N2.

For this, a special module is provided combining the functionalities ofa converter module and a terminal module and preferentially included ina smart card. This will be referred to hereafter as either theterminal/converter module or the terminal/converter card.

This module will first have to be initialized in the domain N1 toreceive the secret of the domain N1, that is the key K_(N1), then itwill be connected to the domain N2 to perform the decryption of theencrypted portions with the key K_(N1) of the data packets forming thecontent.

Greater detail will now be given of how these steps are performed.

FIG. 2 represents schematically the digital domestic network of a domainN2 in which the preferred embodiment of the invention is implemented.Only the elements necessary to the comprehension of the invention areshown.

In this network, a digital bus 204 interconnects a digital videocassette recorder 203, a presentation device 202 and a source device201. The digital bus 204 is preferentially a bus according to thestandard IEEE 1394. The presentation device 202 comprises a digitaltelevision receiver DTV 220 which comprises an “LECM unit” module 223and a smart card 221 comprising a terminal module 222. The secret key ofthe domain N2: K_(N2), is stored in the smart card 221.

The source device 201 comprises a digital decoder 210 which comprises an“ECM unit” module 213. Into the decoder 210 is inserted aterminal/converter card 211 which comprises a terminal module 214 and aconverter module 212. This card 211 is inserted in the place of a“converter” card, that is to say of a smart card containing a convertermodule such as the card 11 in FIG. 1, into the source device 201.

In practice, the terminal/converter card 211 belongs to the user of thedomain N1 and the latter inserts it into a source device (or into apresentation device as will be seen in a second embodiment) of thedomain N2 when he wants to view in the domain N2 a content recorded as“private copy” in the domain N1.

The terminal module 214 contains the secret key of the domain N1 whichit received during an initialization phase of the terminal/convertercard 211 in the domain N1.

Specifically, before being connected to the network of the domain N2,the terminal/converter card 211 was first connected to the network ofthe domain N1 by being inserted into a presentation device of N1 insteadof the “terminal” card (a smart card containing a terminal module likethe card 21 in FIG. 1) that is usually there. The terminal module 214was then considered “virgin”, that is to say not belonging to anydomain.

The terminal module 214 then received from the “originator” device ofthe domain N1 the secret key KN, before becoming “sterile”.

The terms “virgin”, “originator” and “sterile” are defined in theaforementioned French patent application No. 01 05568 and designaterespectively a presentation device (or more precisely its terminalmodule):

-   -   which is not connected to any domain and contains no domain        secret key (“virgin” terminal module or device);    -   which has the secret key of a domain and can transmit it to a        new virgin presentation device likely to be connected to the        domain (“originator” terminal module or device); and    -   which has the secret key of a domain but cannot transmit it to        another device (“sterile” terminal module or device).

The aforementioned patent application also describes the mechanisms forsecure transmission of the secret key between the different devices.

After this initialization phase in the domain N1, the terminal/convertercard 211 is then connected to a domain N2 in which it is desired to viewa content recorded as “private copy” in the domain N1. In FIG. 2, it isinserted into the digital decoder 210 of the source device 201.

FIG. 3 illustrates the steps that are carried out after theterminal/converter card 211 has been connected to the network of thedomain N2.

During a first step 100, a symmetric key K′_(C) is generated randomly bythe converter module 212 of the terminal/converter card 211 and isstored in the card 211.

During the next step 101, the source device 201 broadcasts a requestmessage over the network of the domain N2 to receive a public key of apresentation device on the network. Each presentation device has ineffect a pair of asymmetric keys stored in the smart card which containsthe terminal .module. For example, the presentation device 202 in FIG. 2has a public key K_(PUB) _(—) _(T2) and a private key K_(PRI) _(—)_(T2). These keys are used in a manner known per se to carry outencryption or decryption operations with the aid of asymmetriccryptographic algorithms (for example the RSA algorithm, from the nameof its creators Rivest, Shamir and Adleman).

Any presentation device of the domain N2 may respond to this request101. It is assumed in what follows that the presentation device 202responds to the request by sending its public key K_(PUB) _(—) _(T2) tothe source device 201 in step 102.

The converter module 212 then carries out the encryption of thesymmetric key K′_(C) with the aid of the public key K_(PUB) _(—) _(T2)received (step 103), then it sends the result of this encryptionE{K_(PUB) _(—) _(T2)}(K′_(C)) to the presentation device 202 (step 104).The latter decrypts the received result with the aid of its private keyK_(PRI) _(—) _(T2) to obtain K′_(C) (step 105). It then proceeds (step106) with the encryption of K′_(C) with the secret key of the domain N2,K_(N2), to obtain E{K_(N2)}(K′_(C)), which is the result that it sendsto the source device 201 in step 107. This result E{K_(N2)}(K′_(C)) isstored in the terminal/converter card 211 in the next step 108.

The terminal/converter card is now ready to carry out the decryption ofthe “private copy” content of the domain N1 for the domain N2.

There now follows a description, with reference to FIG. 4, of theprocess used for this.

FIG. 4 uses three downward vertical axes t to represent the time axis toillustrate the processes performed by the digital video cassetterecorder DVCR 203, the presentation device 202 and theterminal/converter card 211 and the exchanges between these elementswhen a new content originating from the domain N1 is broadcast over thedigital domestic network of the domain N2.

Initially, the user inserts for example the video cassette containingthe video program recorded in the domain N1 into the digital videocassette recorder 203 of the domain N2. The video cassette recorderbroadcasts the data recorded on the cassette in conventional manner overthe network of the domain N2.

It is assumed that the user wants to view the content on thepresentation device 202. He therefore sets this device to the broadcastchannel of the digital video cassette recorder 203 to receive the data.

These data broadcast in step 401 in FIG. 4 contain data packets like thefollowing packet:

-   -   LECM1|E{CW}(<data>), or    -   E{K_(N1)}(K_(C))|E{K_(C)}(CW)|Integrity field|E{CW}(<data>),        where the Integrity field is computed as follows:    -   Hash (E{K_(N1)}(K_(C))|CW),    -   where “Hash (x)” represents a hash function, that is to say a        mathematical function which converts an input data set “x” into        a data set “y” of fixed size, often smaller than the input data        size, and representative of the input data; this function is        also a one way function, that is to say that, knowing “y” it is        impossible to find “x” again, such as y=Hash(x). Preferentially,        the SHA-1 function described in document “Secure Hash Standard,        FIPS PUB 180-1, National Institute of Standard Technology,        1995”is used.

When such a data packet is received in the presentation device 202, the“LECM unit” module 223 extracts the LECM1 message from the data packetand transmits it to the terminal module 222.

The latter will first detect, in step 402, that this LECM1 messageoriginates from a domain different from the domain N2.

For this, according to a first preferred variant of embodiment, theLECM1 message also contains in its portion in clear, that is to say inits portion that has not been encrypted by the key K_(C), a domainidentifier ID_(N1). This identifier identifies the domain N1 in uniquemanner and is for example the result of a hash function applied to thesecret key of the domain N1, K_(N1). The identifier ID_(N1) is containedin any terminal card of a presentation device of the domain N1. It isalso contained in this case in the terminal/converter card 211.

The terminal card 221 of the presentation device 202 also contains, inaddition to the secret key of the domain N2, an identifier of the domainN2: ID_(N2). The terminal module 222 therefore compares the identifierID_(N1) contained in the LECM1 message with the identifier contained inthe terminal/converter card ID_(N2). When the two identifiers aredifferent, the terminal module 222 deduces from them that the receivedLECM1 message originates from a domain different from the domain N2.

According to a second variant of embodiment, the LECM1 message containsno domain identifier. The terminal module 222 in this case will use theIntegrity field of the LECM1 message to verify whether or not thismessage originates from the domain N2.

Specifically, if the terminal module 222 decrypts the LECM1 message withthe key K_(N2) and applies the aforementioned hash function “Hash(x)” tothe decrypted data, the result obtained will be different from theIntegrity field of the LECM1 message and the terminal module will deducefrom this that the LECM1 message originates from a domain different fromN2.

In the next step 403, the terminal module 222 generates a random numberR. This number is preferentially generated by a pseudo-random numbergenerator well known per se. The number R is a challenge used to prevent“replay attacks” (attacks consisting in replaying recorded messages).The number R is temporarily stored in step 403 in a secure memory zoneof the card 221.

The presentation device 202 then broadcasts over the network, in step404, a message containing the following data:

-   -   R|E{K_(N1)}(K_(C))|ID_(N1)

The identifier ID_(N1) is included in this message only in the firstvariant of embodiment described above.

This broadcast is made using the asynchronous channel of the bus 204 bywhich the command messages usually travel (the transmission via theasynchronous channel of the bus 204 is represented by a dashed arrow inFIG. 4).

The source device 201 which receives this message transmits it to theterminal/converter card 211.

The next step 405 takes place only in the context of the aforementionedfirst variant of embodiment and consists in verifying that theidentifier included in the message received in step 404 is identical tothe one contained in the terminal/converter card 211. If the twoidentifiers are not identical, then the process stops because theterminal/converter card 211 is not capable of decrypting the informationE{K_(N1)}(K_(C)). If the identifiers are identical, however, the processcontinues with step 406 during which the terminal/converter carddecrypts E{K_(N1)}(K_(C)) with the aid of the key K_(N1) to obtain thekey K_(C).

In the case where the second variant of embodiment is used, step 405does not occur and any terminal/converter card connected to the networkof the domain N2 will perform step 406 and the subsequent ones 407 and408.

In step 407, the terminal/converter card encrypts the data R and K_(C)with the key K′_(C) and then it constructs the following message:

-   -   E{K_(N2)}(K′_(C))|E{K′_(C)}(R|K_(C))    -   which it transmits to the presentation device 202, still via the        asynchronous channel of the bus 204, in step 408.

In step 409, the terminal module 222 decrypts E{K_(N2)}(K′_(C)) with thekey K_(N2) to obtain the key K′_(C) with which it decryptsE{K′_(C)}(RlK_(C)) to obtain R|K_(C) in the next step 410.

Then, in step 411, the terminal module 222 verifies that the number Rfound in step 410 is indeed the same as that which was generated andstored in step 403. If this is not the case, the process stops becausethis means that the message received in step 408 is not valid.

If the verification is positive, the process continues, in step 412,with the decryption of the LECM1 message with the aid of the key K_(C)obtained in step 410. More precisely, the information E{K_(C)}(CW) isdecrypted to obtain the control word CW in clear.

In step 412 the terminal module 222 also verifies the integrity of theLECM1 message by computing:

-   -   Hash (E{K_(N1)}(K_(C))|CW) based on the data decrypted above and        comparing this result with the Integrity field of the LECM1        message.

When the second variant of embodiment mentioned above is implemented,the presentation device 202 may where necessary receive several messagesof the type sent in step 408 if several terminal/converter cards areconnected to the network of the domain N2. In this case, the terminalmodule 222 performs the steps 409 to 412 for each message received instep 408 and, when the verification of the integrity of the LECM1message is correct, the terminal module deduces from it that the messagereceived in step 408 is the one originating from the terminal/convertercard of the domain N1.

If the integrity verification fails in all cases, then the process isstopped. Provision can be made in this case to present a warning messageintended for the user.

Otherwise, the terminal module 222 transmits the decrypted control wordto the “LECM unit” module of the television receiver 220 and the lattercan thus descramble, in step 413, the data of the data packet receivedin step 401.

The presentation device 202 is also capable, thanks to the key K_(C)that it temporarily stores, of decrypting the subsequent data packets ofthe content broadcast by the digital video cassette recorder 203 whilethe LECM1 messages of these packets are protected by the same key K_(C).If ever the key K_(C) changes, then the steps 403 to 412 are repeated sothat the presentation device 202 receives the new key K_(C) from theterminal/converter card 211.

Then, when all the data packets forming the content have been receivedand decrypted by the presentation device 202, the latter erases from itsmemory in step 414 the number R and the key K_(C) that it hadtemporarily stored to make the above computations.

FIG. 2 illustrates an embodiment in which the terminal/converter card211 is inserted into a source device of the domain N2, instead of theconverter card which is normally there.

But it is also possible, in a second embodiment, to insert theterminal/converter card into a presentation device of the domain N2,instead of the terminal card that is normally there. The processoperates in the same manner as has been described with reference toFIGS. 3 and 4. However, in this case, the domain N2 must naturallycomprise at least two presentation devices so that at least one of thedevices can retain its terminal card containing the domain key K_(N2) inorder to apply the steps that are illustrated in FIGS. 3 and 4.

The invention is not limited to the exemplary embodiments that have justbeen described. In particular, it applies equally to digital domesticnetworks in which the data (particularly the LECM messages) areprotected with the aid of a pair of asymmetric keys specific to thedomain to which the network belongs, the public key of the network beingcontained in the source devices in order to encrypt the data and theprivate key being contained in the presentation devices in order todecrypt the data. In this case, after the initialization phase, theterminal/converter card must contain the private key of the first domainN1 and the public key of the second domain N2 to be capable ofdecrypting the data encrypted for the first domain and to re-encryptthem so that they can be decrypted by a presentation device of thesecond domain.

Likewise, the invention also applies in another particular case in whichthe digital data, protected by a conditional access system of a contentprovider, are received in a given domain N2 and are directly recorded ina recording device of the domain N2 without first having been“converted” by a converter module of the domain N2 to be played back inthe domain N2. When these recorded data are later received by apresentation device of the domain N2 to be presented to a user, thispresentation device is not capable of decrypting the ECMs containing thecontrol words CW protected by a secret specific to the content provider(typically, the key K_(F) appearing in FIG. 1 in the CA module 14). Inthis case it is considered that the “first domain” in the sense of thepresent invention is that of the content provider. The presentationdevice then broadcasts the ECM messages over the network of the domainN2 so that they are converted by a converter module of the domain N2(associated with a conditional access module of the content provider)into LECM messages that can be decrypted with the aid of the secret ofthe domain N2.

1. A method of processing data, encrypted according to an encryptionmethod specific to a first domain such that they cannot be decryptedwithout the aid of a first secret specific to said first domain, saiddata being received in a presentation device connected to a networkbelonging to a second domain, wherein it comprises the steps consisting,for the presentation device, in: (a) transmitting to a processing deviceconnected to the network at least a portion of said encrypted data; (b)receiving from said processing device at least one element being used todecrypt said received data with the aid of a second secret specific tosaid second domain, said second secret being contained in thepresentation device.
 2. The method as claimed in claim 1, wherein thedata received in the presentation device are encrypted with the aid of afirst symmetric key, said first symmetric key being received with saiddata in a form encrypted with the aid of the first secret; in that step(a) consists in transmitting to the processing device the firstsymmetric key encrypted with the aid of the first secret; and in thatstep (b) consists in receiving from the processing device: said firstsymmetric key encrypted with the aid of a second symmetric key; and thesecond symmetric key encrypted with the aid of the second secret(K_(N2)) specific to the second domain.
 3. The method as claimed inclaim 2, wherein it also comprises the steps consisting, for thepresentation device, in: (c) decrypting, with the aid of the secondsecret, the second encrypted symmetric key; (d) decrypting, with the aidof the second symmetric key, the first encrypted symmetric key; and (e)decrypting the data received by said presentation device with the aid ofthe first symmetric key.
 4. The method as claimed in claim 3, wherein italso comprises, before step (a), a step consisting, for the presentationdevice, in generating a random number, said random number beingtransmitted to the processing device, in step (a), with the encryptionof the first symmetric key; and in that the data received in step (b)contain a random number and the first symmetric key encrypted with theaid of the second symmetric key; step (d) also comprising thedecryption, with the aid of the second symmetric, of the encryptedrandom number received in step (b); and the method also comprising,before step (e), a verification step to verify that the random numberdecrypted in step (d) is identical to the random number generated beforestep (a); step (e) being performed only in the event of positiveverification.
 5. The method as claimed in claim 1, wherein a domainidentifier is contained in the data received by the presentation deviceand in that said domain identifier is transmitted to the processingdevice during step (a); step (b) being performed only if said processingdevice contains the same domain identifier.